Effectively Discussing Security Risks with the Board

With over a decade of experience building, developing, and scaling high-efficiency teams at Amazon, PayPal, Bungie, and Microsoft, Kevin Hanaford currently leads security, infrastructure, and cloud operations for Remitly, an international payments company that leverages digital channels, including mobile phones, to send money internationally.

A not so long time ago in a datacenter not so far away, security used to be an afterthought. It was not only an afterthought, but it was typically a secondary responsibility for somebody who didn’t even have the word “security” in their title.

Today, you’ll be hard pressed to find a company that isn’t at least thinking about security (we do still have a way to go), and many companies now have dedicated security teams and roles, including executive-level roles and responsibilities. As such, reporting security risk to the Board of Directors is becoming commonplace. But what exactly does the Board want to hear about? And in how much detail?

Answering to the Board can be a challenge given their disconnect from the day-to-day, the infrequency of communication, and the complexity that typically comes with security. But the questions they want answered are relatively straightforward:

How are we doing?

What risks should we be aware of?

Do you need any additional help?

That said, the answers to these questions can vary wildly and you should be prepared to condense a lot of information into little space, on paper or verbally.

The Pieces Necessary for Framing the Discussion

First, it’s a waste of time to try and explain all the intricacies of your job. Instead, show how your work matters in relation to reaching company goals.

You were hired as the expert, so it’s your job to bridge the gap between the nitty-gritty and how everything you’re doing ties back to business objectives. It’s unlikely that many board members are familiar with how intrusion detection works or what the advantages of hashing passwords are, but you can explain how you’ve put tooling in place to detect and prevent network and application layer attacks. For example, you can make security visible by showing how a tool like Signal Sciences blocks web layer attacks and helps you throw. Any good board member will know and understand that securing your customers’ data is of the utmost importance and why that is valuable to the company. Drawing clear connections between what you’re doing and company goals will paint a picture for the Board that shows why your work matters.

Second, bring the data that shows your security program’s successes.

Breaches now happen on every day that ends in “y.” You’ve heard about them, the Board has heard about them, and even your relatives have likely heard about them. The fervor around security risk is at an all-time high and is frequently accompanied by shocking headlines, hyperbole, and exaggeration—but you should strive to deliver the opposite. High-quality, actionable data will help illustrate the success of your security program and is exactly what the Board wants to see.

Third, and arguably the most important piece: prepare a security response plan that builds confidence.

Reporting a given risk to the Board, especially a potentially “scary” one, usually generates concern and sometimes a degree of panic and questions like:

How vulnerable are we?

Are our customers at risk?

How do we know if we’re doing this right?

These are all common questions that immediately follow the introduction of a new risk, and that includes web application security. Developing thoughtful plans to address security risks helps build confidence that the company is in the right hands and heads off the inevitable question that any good Board will ask: “What are we going to do?”

Lastly, cover all your bases with regard to new staffing, training, tools, and services you’re evaluating.

It’s easy to focus on immediate risks to the company when reporting to the Board, especially if they’re hot topics in the media (remember WannaCry?), or if your company has been dealing with a particularly persistent attacker. It’s important to remember that active threats are not the only thing you’re dealing with. Keep the Board up to date on the other areas you’re tackling, such as hiring needs and progress, security education and training, development of new security tools and services (especially why they’ll make your product better), and new and emerging threats. This will help the Board know that you’re not just firefighting: you’re building a mature security organization and helping uplift the security posture of the entire company, not just your Blue team.

Conclusion: Build Confidence Continually with Key Information

Reporting security risks to the Board isn’t a new or controversial topic. It’s something they should and do care about, and it’s something that you should do your best to communicate clearly and concisely. Linking security objectives to company goals, presenting risks alongside actionable data, coming to the table with a thoughtful response plan, and talking about more than just the notable topics will ensure that the Board has the information they need to feel confident in you, your security team, and the security posture of the company.